ADFS 3.0 Setup - Certificate Issue

I am experiencing an issue with setting up ADFS 3.0 on Windows Server 2012 R2. The question is mainly about certificates and how I would use them. I'm wondering which certificates to use, etc., to make this work.

Here is my current scenario -

I currently have a live environment set up, where we have a Domain Controller (Windows Server 2008 Enterprise, this is also the Root CA) and an ADFS Server (Windows Server 2012 R2) based in our corporate network.
I've also set up an ADFS proxy server (Windows Server 2012 R2) which is located in our DMZ perimeter network.

We have a new ticketing system that's recently been implemented, where we want users to be able to get to it on the cloud. It's currently set to use LDAP logins and that works fine, but our organisation is looking to have SSO enabled for it.
I have read through how to set up relying party trusts and claims rules, but I'm stuck on the initial setup - based on a problem where I'm unsure of what certificates to use/issue.

(The design diagram provided is the current setup).

I've created the "ADFS SSL Certificate" template on my Domain Controller to use for ADFS (I've achieved this by using online videos from IT professionals for the ADFS SSL Certificate - example - https://www.youtube.com/watch?t=398&v=y3sPX6T9W28). Bearing in mind, I only used the video to learn how to duplicate a web server template and create an ADFS SSL Certificate, nothing else.

Our ADFS server can enroll for a certificate and it completes the setup fine. I can then verify that ADFS is working by navigating to the SSO page created for ADFS - https://adfs.organisation.local/adfs/ls/IdpInitiatedSignon.aspx. Unfortunately, this isn't what I want to achieve, as this is only for a (.local) address.

I'm unsure on how to approach the scenario so that I can make the ADFS service available outside the organisation, because of the (adfs.organisation.local) predicament.

NOTE: We do have a wildcard certificate for our organisation that sits on a Load Balancer outside the DMZ, let's say it's called "*.organisation.net", but I am not sure how to use this to get the ADFS setup working outside of my organisation.

I am familiar with DNS now and I have average knowledge of certificates, but not enough knowledge for all of this to fulfill the project.

Has anyone done this before in a live environment? Is anyone able to help with my issue and provide knowledge on the subject?

All help is appreciated!!

Thanks,
Jamie
[Attachment: ADFS-3.0---Design--28Highlighted-29.JPG (design diagram)]
Jay9020 Asked:
Kyle Abrahams (Senior .Net Developer) Commented:
Essentially you want everything setup with the organisation.net cert.

Your internal DNS should have:
adfs.organisation.net pointing to the adfs internal server.

Your external DNS should have
adfs.organisation.net point to the adfs proxy server.

From there the claims rules are configured in the DNS . . . but I think you're missing the split DNS piece of things. When you hit the proxy server you should be challenged with the forms authentication, but the internal should use the windows one (/adfs/ls) for pass through.

Let me know if that helps you at all.
0
Jay9020 (Author) Commented:
OK, I think I get what you mean from the DNS, ADFS and proxy perspective.

Does this mean that I need to set up ADFS again but with the *.organisation.net certificate on my ADFS server in my corporate network, as well as on the proxy too?

I'm also unsure of what to create in a certificate for the Subject Alternative Names if I'm creating the ADFS SSL certificate. Does this just need to have the ADFS.organisation.local name in it? Does it also need to include client and server authentication?
0
Kyle Abrahams (Senior .Net Developer) Commented:
So the Subject names should be whatever is the URL that the ADFS is going to be hosting.

So for example:

say you want to sso

home.myCo.net  

home.myCo.net becomes a relying party (RP) to adfs.

you need a DNS name for the adfs so that the computer the username is on knows what route to take to get there.

eg:
adfs.myCo.net


so the first time you hit:
home.MyCo.net  it knows that it's an RP . . . checks for a cookie to see if you're authenticated already.  If not, then it will redirect you to adfs.MyCo.net.  On internal, you hit the windows side of things, get authenticated, and get passed right back to the app.  On external,  you hit the proxy server, and get challenged (usually with forms authentication) which when succeeding you will get passed back to the app.

It's possible to roll the certificate without re-installing adfs:
http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx


So for the first RP you're going to want 2 dns entries (4 really, 2 for the inside, 2 for the outside) having the RP and the adfs servers as your entries.  After that you get 2 per application, which can be hosted in different environments for your security.
0
Jay9020 (Author) Commented:
Thanks Kyle. That also makes sense in regards to the Relying Party Trust, etc.

Do I still need to create an ADFS SSL certificate from my root CA (on the Domain Controller) for the ADFS server in my corporate network, or do I need to copy the "*.organisation.net" certificate from Load Balancer and then set up the ADFS server with that?

This was also a pretty good URL for replacing the certificates I found, as I had tried this previously - http://tristanwatkins.com/changing-adfs-url-windows-server-2012-r2/

The eventual outcome is so that our users can go to our cloud ticketing system, say, https://name.saas.com/ hosted by another company and then be able to SSO with it.
0
Jay9020 (Author) Commented:
I've also just thought, our wildcard certificate is registered, as "*.organisation.net", which we do use for things like Exchange's OWA (set up as mail.organisation.net) and users can access this externally with their AD username and password.

**I apologise if I'm going off topic on the above, but I am just trying to understand that set up, so that maybe it will help me understand the ADFS related set up**.

Assuming that something like this works already, would I be able to set up ADFS even though my internal domain is "dc1.business.local" and my ADFS server internally is "adfs1.business.local"?

Sorry, I should have pointed out the certificates to help you understand the issue (if pointing out the names does help!).

External publicly trusted certificate - "*.organisation.net".
Internal domain name / root CA - "dc1.business.local"
0
Kyle Abrahams (Senior .Net Developer) Commented:
I would recommend going with the organization.net one.

The reason being the proxy server is really only an extension of the ADFS server. I'm 95% positive they use the same certificate, so you need to address the public side. The wildcard cert will authenticate internally the same way it does externally.

Let me know if you have more questions.
0
Amit (IT Architect) Commented:
I do this regularly. The URL you used is the IDP URL. So, you are the ID provider and your Service Provider or SP is going to use your ID for SSO. How to configure it, is that your question? Right? For that you need to exchange your metadata URL or XML files with your service provider, and the same will be given by the service provider to you. The SP can also give you a Post URL to configure. In that case you need to configure it manually from your ADFS main server.

You also need to use the same certificate everywhere. You need to purchase it from a 3rd party vendor like VeriSign etc. Then you need to add that cert in the cert store on all servers, including the ADFS Proxy. Once that is done, you need to assign the certificate to the service account used for ADFS. This needs to be done only on the main ADFS server. That is the primary one you created first. I assume you have an ADFS farm with SQL as backend.

Once you and the SP configure the SSO, then the SP needs to parse the claims sent by you and allow login. Claims depend on SP needs. So, the SP will give the URL that the user will click, and at the backend your SP will redirect it to your ADFS server, and ADFS is going to check with your AD server and then it will send that info back to the SP and hence allow or deny the login. Also, remember if the user is coming from an external network or out of domain, the user will be asked to enter username and password.

Let me know if that clears your doubt. If you are new to ADFS, hire an ADFS expert.
0
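As an added example (not from the thread and not from Amit or Kyle), the checks below cover the two things Amit's answer hinges on: that the federation service publishes its metadata over a publicly trusted certificate, and that the service provider's metadata can be registered as a relying party. The federation service name comes from the thread; the SP metadata path under name.saas.com and the relying party name are placeholders.

```powershell
# Added example (not from the thread): verify what the federation service publishes
# before exchanging metadata with the SP, then register the SP as a relying party.
# Placeholders: the SP metadata URL and the relying party name.

$FederationServiceName = 'adfs.organisation.net'
$MetadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. Our own metadata: this is the document (or URL) handed to the SP.
#    Invoke-WebRequest fails if the certificate chain is not trusted, which is the
#    quickest way to notice that an internal-CA certificate is still being served.
$response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
[xml]$metadata = $response.Content
"entityID: " + $metadata.EntityDescriptor.entityID

# 2. The certificate actually presented on port 443, i.e. what an external browser
#    sees when the request lands on the proxy. The issuer should be the public CA
#    (GoDaddy here), not the .local root CA on the domain controller.
$tcp = New-Object Net.Sockets.TcpClient($FederationServiceName, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($FederationServiceName)
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Served: {0}`nIssuer: {1}`nExpires: {2}" -f $served.Subject, $served.Issuer, $served.NotAfter
$ssl.Dispose(); $tcp.Close()

# 3. Register the cloud ticketing system as a relying party from the metadata the
#    SP supplies. Run on the primary ADFS server; claim rules are added separately.
Add-AdfsRelyingPartyTrust -Name 'Cloud ticketing (placeholder)' `
    -MetadataUrl 'https://name.saas.com/saml/metadata'   # placeholder path, supplied by the SP
```

Step 2 is worth running from outside the corporate network as well as inside: with split DNS in place the same name resolves to two different hosts, and both must present the same wildcard certificate.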
Jay9020 (Author) Commented:
Thanks Kyle, I'll go with the "*.organization.net" certificate then.

The "*.organization.net" certificate has been purchased with GoDaddy. Does this mean I need to set up the ADFS server/s with that certificate and import that certificate in to the personal certificate store first?

Also, if I have a service account called "adfsservice", then do I need to update the SPN based on the following guide?

https://technet.microsoft.com/en-us/library/dd807078.aspx
0
Kyle Abrahams (Senior .Net Developer) Commented:
Correct, and after you import the key be sure to grant adfsservice access to the primary key of the wildcard cert in the computer personal store.
0
Jay9020 (Author) Commented:
I've added the wildcard certificate to my ADFS server's personal certificate store, but when running the ADFS setup, it was unable to see the certificate. I also imported the certificate and restarted the ADFS installation but still couldn't see the certificate.

ADFS can only see my certificate that I requested from my domain controller. Am I meant to configure ADFS first with a certificate from my domain controller and then replace the certificate afterwards with my 3rd party certificate?

Amit I've been tasked with the installation of ADFS and to get the SSO up and running, unfortunately no room to hire an ADFS expert unfortunately. This is why I am speaking to you guys on Experts Exchange to get some help!
0
Kyle Abrahams (Senior .Net Developer) Commented:
So it's easiest if you set up a blank website or application with the certificate installed, adding the host header information and binding your ssl cert to that.

From there when you run the setup it should automatically detect the site and certificate given the url.
0
Jay9020 (Author) Commented:
It looks like I imported the certificate from the load balancer, but it didn't have a private key generated for it. When I went to import it, it wouldn't let me alter the access control.

One of my colleagues assisted with exporting the certificate again and the certificate has now been imported and replaced on ADFS itself.

Now I can't get the default site working, after replacing the certificates and restarting the ADFS service - https://adfs.organisation.net/adfs/ls/IdpInitiatedSignOn.aspx.

Now that I know it was the import causing the problem, I may just quickly do a re-install of my server and run the ADFS setup again with the certificate already imported properly!
0
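Kyle's earlier advice (grant the service account access to the key) and the import problem just described both come down to the same check: the certificate in the machine Personal store must carry its private key, and the ADFS service account must be able to read it. The script below is an added example, not from the thread; the PFX path, the account name ORG\adfsservice and the SPN step (from the TechNet guide linked earlier) are assumptions, and the ACL part applies to CSP (legacy RSA) keys only.

```powershell
# Added example (not from the thread): import the wildcard PFX with its private key,
# verify the key is present, and grant the ADFS service account read access to it.
# Placeholders: PFX path and the account ORG\adfsservice.

$PfxPath        = 'C:\certs\wildcard-organisation-net.pfx'   # placeholder
$ServiceAccount = 'ORG\adfsservice'                          # placeholder
$Password       = Read-Host -AsSecureString 'PFX password'

# Import into the machine Personal store. -Exportable is deliberately omitted so the
# key cannot be exported again from this host.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $Password

# A certificate exported without its key (the failure described in the thread) is
# not offered by ADFS setup at all, so stop here rather than hunting for it later.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-export the PFX with the key included."
}

# Grant the service account Read on the key container. This path layout is for
# CSP/legacy RSA keys; for CNG keys use 'Manage Private Keys' in the Certificates MMC.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Register the HOST SPN for the federation service name on the service account.
# -S checks for duplicates before adding, which avoids a silent Kerberos failure later.
setspn -S host/adfs.organisation.net $ServiceAccount

# After the ADFS configuration wizard has run, confirm which certificate the service
# is actually bound to (both should show the wildcard thumbprint).
Get-AdfsSslCertificate
Get-AdfsCertificate -CertificateType Service-Communications
```

Read access is all the service account needs; granting Full Control on the key file, or leaving the key exportable, widens what an attacker who compromises that account could do with the wildcard certificate.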
Jay9020 (Author) Commented:
OK, so now I've got the wildcard certificate configured and everything ran through fine with the ADFS setup.

I can now only browse to "https://localhost/adfs/ls/IdpInitiatedSignon.aspx". I am unable to browse to "https://adfs.organisation.net/adfs/ls/IdpInitiatedSignon.aspx".

I am unsure of what to set on my domain controller on DNS for this. It does sound like I'm going round in circles, so I do apologise!
[Attachment: wildcards.JPG]
0
Kyle Abrahams (Senior .Net Developer) Commented:
You have to set up a DNS entry for adfs in your organization DNS to point at the server where you can browse the localhost url.

if you ping adfs.organisation.net from a command prompt you should match the ip of the server (on both intranet and internet)
0
Jay9020 (Author) Commented:
The current ADFS server is "mhaf-001.organisation.local" and the service name set up with the wildcard certificate is "adfs.organisation.net".

I'm not sure how to add this in DNS, as the name of the local server is not in the same zone as the wildcard certificate. I am unsure on how to set this up to make it work.

I can't ping "adfs.organisation.net" at the moment either, obviously because the DNS hasn't been configured for it yet.
0
Kyle Abrahams (Senior .Net Developer) Commented:
You have to create a forward lookup zone for organisation.net for your dns server. From there you would add a host adfs with the private IP of the server.

Note that if you do this, you'll have to manage every ip in the organisation.net in your DNS server.  

If you don't want to manage the whole dns zone for organisation.net . . . you can create a zone for adfs.organisation.net and add a host name with a blank record with the private IP address.
0
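The second option Kyle gives (a zone named after the service with a blank record) is what resolved the question, and it is the one shown below as an added example that is not from the thread. The DC in the question runs Windows Server 2008, so the zone is created with dnscmd.exe, which exists there; the DnsServer module equivalents are shown in comments for 2012 and later. The private IP 10.0.0.5 is constructed for this example.

```powershell
# Added example (not from the thread): split DNS for the federation service name.
# Placeholder: 10.0.0.5 = private IP of the internal ADFS server (mhaf-001.organisation.local).
# Run the zone commands on the internal DNS server (the Windows Server 2008 DC).

$FederationServiceName = 'adfs.organisation.net'
$InternalAdfsIP        = '10.0.0.5'   # placeholder, constructed for this example

# A zone named after the service itself, so the rest of organisation.net keeps resolving
# through public DNS and only this one name is overridden internally.
dnscmd /ZoneAdd $FederationServiceName /DsPrimary

# A blank (same-as-parent) A record: the zone apex resolves to the ADFS server.
dnscmd /RecordAdd $FederationServiceName '@' A $InternalAdfsIP

# Windows Server 2012 or later, DnsServer module equivalents:
# Add-DnsServerPrimaryZone -Name $FederationServiceName -ReplicationScope Domain
# Add-DnsServerResourceRecordA -ZoneName $FederationServiceName -Name '@' -IPv4Address $InternalAdfsIP

# From an internal client the answer must be the private IP, from outside the proxy's
# public IP. If both sides return the same address the split is not in effect.
nslookup $FederationServiceName

# The proxy in the DMZ has to resolve the name to the INTERNAL ADFS server, not to
# itself (public DNS points the same name at the proxy, which would loop). Run this
# part on the proxy; a hosts entry is the simplest way to pin it.
$HostsEntry = "$InternalAdfsIP`t$FederationServiceName"
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value $HostsEntry
```

The hosts-file entry is the piece most often forgotten after a proxy rebuild: without it the proxy's own lookup goes to public DNS and lands back on the proxy.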
Jay9020 (Author) Commented:
I created the zone "adfs.organisation.net" and it worked! I've also set the IP address/name in the HOSTS file on my proxy server and everything works fine.

Appreciate your help on this Kyle. All sorted.

Now I just need to configure my relying party trusts, etc!
0
Jay9020 (Author) Commented:
Kyle was professional and understood my design for ADFS. From here Kyle was able to diagnose the issue and run through it with me step-by-step.

We managed to resolve the issue and I am very happy with the result!
0